Why the new “privacy” category in OWASP MASVS is essential for meeting GDPR requirements.
Why privacy is no longer optional
In today’s digital landscape, where regulations are becoming stricter and users demand greater transparency, privacy is no longer just a nice-to-have: it's a legal and strategic necessity. Once seen as a secondary aspect of security, privacy now encompasses much more than protecting against unauthorized access. It involves how personal data is collected, used, stored, and shared, and most importantly, whether users are informed and in control.
To address these challenges, the OWASP Mobile Application Security Verification Standard (MASVS) introduces a new privacy-focused category: MASVS-P. Its goal? To provide a clear technical framework to audit and strengthen personal data protection in mobile apps — in line with regulations such as the GDPR.
MASVS-P: a technical foundation for real data protection
Still evolving, the MASVS-P section doesn't replace legal analysis (like DPIAs), but it does offer a concrete foundation for integrating privacy best practices from the design phase, directly at the code level.
The 4 pillars of MASVS-P
🧠 TL;DR
- Only collect what is strictly necessary.
- Avoid any form of unnecessary tracking.
- Be transparent about data usage.
- Give users real control.
1. Data minimization
MASVS-PRIVACY-1
Only request the data strictly needed for your app to function properly, and do so with the user’s informed consent. This includes managing third-party SDKs: it’s crucial to ensure they do not collect anything without consent. This principle also echoes current concerns around SBOM (Software Bill of Materials), which aims to better control the risks tied to software dependencies.
2. Avoiding user identification and tracking
MASVS-PRIVACY-2
Information such as IP addresses, device fingerprints, or usage patterns can lead to indirect identification. MASVS-P recommends using anonymization or pseudonymization techniques, particularly to avoid cross-referencing data from different sources (third-party services, internal modules, etc.).
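One way to apply the pseudonymization described above so that two data recipients cannot join their records on a shared identifier (an added example, not taken from MASVS or from the original article). The destination names, demo keys, and the /24 and /48 truncation lengths are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo keys, one per data destination (hypothetical names).
# In a real app each key would live in a secure store and never be shared
# between destinations.
CONTEXT_KEYS = {
    "analytics_sdk": b"demo-key-analytics-0001",
    "crash_reporter": b"demo-key-crash-0002",
}


def pseudonym(user_id: str, context: str) -> str:
    """Keyed pseudonym: stable inside one context, unlinkable across contexts."""
    key = CONTEXT_KEYS[context]  # unknown destination -> KeyError, nothing is sent
    digest = hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def coarsen_ip(addr: str) -> str:
    """Drop the host part of an IP address (assumed: /24 for IPv4, /48 for IPv6)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def outbound_event(user_id: str, ip: str, name: str, context: str) -> dict:
    """Build the record that leaves the app: no raw user id, no full IP."""
    return {
        "subject": pseudonym(user_id, context),
        "ip": coarsen_ip(ip),
        "event": name,
    }


if __name__ == "__main__":
    # Constructed sample input.
    for ctx in CONTEXT_KEYS:
        print(ctx, outbound_event("user-4711", "203.0.113.77", "app_open", ctx))
```

Pseudonymized identifiers and truncated IP addresses remain personal data under the GDPR for as long as the keys exist; what the per-destination key removes is the common join column between recipients.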
3. Transparency
MASVS-PRIVACY-3
User trust relies on clear communication. MASVS-P emphasizes the importance of accurately describing how data is handled — even less visible processes like background data collection or silent synchronization. Privacy policies, store disclosures, and in-app information must be consistent.
4. User control
MASVS-PRIVACY-4
Users must be able to access, modify, and delete their data, and to withdraw consent at any time. If the intended use of their data changes, new explicit consent must be obtained.
🤝 How Smile and neopixl can support you
At Smile and neopixl, we help our clients design mobile applications that respect personal data, integrating MASVS-P principles right from the design stage:
- 🔐 Security by design: We apply MASVS L1, L2, R, and P standards throughout development and testing phases.
- 📦 Dependency auditing: We analyze third-party SDKs to ensure compliance with consent and data minimization requirements.
- 📊 Data mapping: We help formalize data flows to ease collaboration with your legal teams.
- 🧑‍🎓 Continuous training: We raise awareness among our teams about the impact of privacy on user experience, software architecture, and product strategy.
In conclusion
Privacy is not a barrier to innovation; it’s a driver of trust, compliance, and competitive differentiation. By adopting MASVS-P today, you prepare your mobile app for tomorrow’s challenges.